[Bug 246984] lang/python36,37: Fix CVE-2020-8492

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jun 7 01:43:07 UTC 2020 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Danilo G. Baio <dbaio at freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dbaio at freebsd.org

--- Comment #4 from Danilo G. Baio <dbaio at freebsd.org> ---
Hi.

Taking a look at this PR I noticed we have issues in CVE-2019-18348 as well.

And vuxml is currently wrong in both CVE's.

Simple table to explain:
-------------------------------------------------------------------------------
  2.7: 2.7.18         April 20, 2020   CVE-2019-18348 OK  /  CVE-2020-8492 OK
  3.5: 3.5.9          Nov. 2, 2019     CVE-2019-18348 MS  /  CVE-2020-8492 MS
  3.6: 3.6.9 (3.6.10) July 2, 2019     CVE-2019-18348 NR  /  CVE-2020-8492 NR
  3.7: 3.7.7          March 10, 2020   CVE-2019-18348 NR  /  CVE-2020-8492 NR   
  3.8: 3.8.3          May 13, 2020     CVE-2019-18348 OK  /  CVE-2020-8492 OK

  MS - Missing commit in upstream branch (PR open)
  NR - Next Release, commit is in the branch
-------------------------------------------------------------------------------

So we have to patch Python 3.7, update Python 3.6 to 3.6.10+patch and patch
Python 3.5 for both CVE's.

And fix vuxml ASAP:
 CVE-2019-18348, needs to add 3.5, 3.6 and 3.7 packages, they are all affected
in this moment.
 CVE-2020-8492,  3.7, needs to update the range, it's informing that 3.7.7 is
not affected.

There is a misunderstanding about CVE-2020-8492, in the CVE text it says "3.7
through 3.7.6", but they applied the fix after 3.7.7 and it's on the branch
waiting next release.


https://python-security.readthedocs.io/vuln/urlopen-host-http-header-injection.html
 (CVE-2019-18348)
 https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html  
(CVE-2020-8492)

3.5 - https://github.com/python/cpython/pull/19300  (CVE-2019-18348) PR open
3.5 - https://github.com/python/cpython/pull/19305  (CVE-2020-8492)  PR open

Both patches for 3.5 applied cleanly, but the PRs are still open, should we
test it and already add to the ports tree?

So in addition to Dani's patch, we need to also address CVE-2019-18348, I think
we can do this together.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

More information about the freebsd-python mailing list